The Court of Appeal yesterday issued it's decision in the case by Mr Lloyd who is a champion of consumer protection against Google. We had commented on the first instance decision here. Mr Lloyd had sought permission to bring a representative, or class, action against Google. Mr Lloyd makes the claim on behalf of a class of more than 4 million Apple iPhone users. He alleges that Google secretly tracked some of their internet activity, for commercial purposes, between 9th August 2011 and 15th February 2012.
The application for permission to proceed was refused on a number of bases but the most significant were that none of the represented class had suffered "damage" under section 13 of the Data Protection Act 1998 (the "DPA") and the members of the class did not have the "same interest" within CPR Part 19.6(1) so as to justify allowing the claim to proceed as a representative action. Google had argued that Mr Lloyd could not satisfy the "same interest" requirement and that the claim was "a contrived and illegitimate attempt to shoe-horn a novel "opt-out class action" into the representative action procedure".
No need to prove loss
Unlike in a normal claim, Mr Lloyd did not seek to prove in each case that the alleged wrongful act caused a loss. Instead he claimed the same amount by way of damages on behalf of each person within the defined class without seeking to allege or prove any distinctive facts affecting any of them, save that they did not consent to the abstraction of their data.
The Court of Appeal reversed the judge below and concluded that a claimant can recover damages for loss of control of their data under section 13 of the DPA without proving pecuniary loss or distress and that the members of the class that Mr Lloyd seeks to represent did have the same interest as one another and were identifiable.
The court relied on the decision in the phone hacking case of Gulati v. MGN Limited  EWCA Civ 1291 (CA) ("Gulati") to decide that, if damages are available without proof of pecuniary loss or distress for the tort of misuse of private information, they should also be available for a non-trivial infringement of the DPA, as both claims are derived from the same fundamental right to data protection contained in article 8 of the Charter of Fundamental Rights of the European Union 2012/C 326/02 (the "Charter"): "[e]veryone has the right to the protection of personal data concerning him or her".
The court was concerned to ensure that individuals be provided with an effective remedy for the infringement of data protection rights.
Class actions and litigation funding
This is an important decision that will be pored over by those involved with data protection, class actions and litigation funding and of course GDPR compliance. If it is possible to bring class actions for breaches such as this, and avoid the difficulty of proving loss in each case, then very substantial claims are likely to be brought, supported by litigation funders.